Abstract

The discrete logarithm problem (DLP) generalizes to the constrained DLP, where the secret exponent $x$ belongs to a set known to the attacker. The complexity of generic algorithms for solving the constrained DLP depends on the choice of the set. Motivated by cryptographic applications, we study sets with succinct representation for which the constrained DLP is hard. We draw on earlier results due to Erdős et al. and Schnorr, develop geometric tools such as a generalized Menelaus' theorem for proving lower bounds on the complexity of the constrained DLP, and construct sets with succinct representation with provable non-trivial lower bounds.

1 Introduction 



One of the most important assumptions in modern cryptography is the hardness of the discrete logarithm problem (DLP). The scope of this paper is restricted to groups of prime order $p$, where the DLP is the problem of computing $x$ given $(g, g^x)$ for $x$ chosen uniformly at random from $\mathbb{Z}_p$ (see the next section for notation). In some groups the DLP is believed to have average complexity of $\Theta(\sqrt{p})$ group operations. The constrained DLP is defined as the problem of computing $x$ given $(g, g^x)$ where $x$ is chosen uniformly at random from a publicly known set $S \subseteq \mathbb{Z}_p$.

For the standard DLP there is a well-understood dichotomy between generic algorithms, which are oblivious to the underlying group, and group-specific algorithms. By analogy, we distinguish between generic and group-specific algorithms for the constrained DLP. In this paper we concentrate on the former kind, i.e., generic algorithms. Our main tool for the analysis of generic algorithms is the Shoup–Nechaev generic group model [Sho97, Nec94].

The main motivation of our work is the fundamental nature of the problem and the tantalizing gap that exists between lower and upper bounds on the constrained DLP. A trivial generalization of Shoup's proof shows that the DLP constrained to any set $S \subseteq \mathbb{Z}_p$ has generic complexity $\Omega(\sqrt{|S|})$ group operations. On the other hand, Schnorr demonstrates that the DLP constrained to a random $S$ of size $\sqrt{p}$ has complexity $\Omega(\sqrt{p}) = \Theta(|S|)$ with high probability [Sch01]. Explicit (de-randomized) constructions, or even succinct representations, of small sets with high complexity, or with any complexity better than the square root lower bound, were conspicuously absent.

The importance of improving the square root lower bound for concrete subsets of $\mathbb{Z}_p$ is implicit in [Yac98, HS03, SJ04], which suggest exponentiation algorithms that are faster than average for exponents sampled from certain subsets. These algorithms either rely on heuristic assumptions about the security of the DLP constrained to their respective sets or use the square root lower bound to the detriment of their efficiency. For example, Yacobi proposes to use "compressible" exponents whose binary representation contains repetitive patterns [Yac98], which can be exploited by some algorithms for fast exponentiation. However, without optimistic assumptions about the complexity of the DLP constrained to this set the method offers no advantage over sliding window exponentiation. Another method of speeding up exponentiation is to generate an exponent together with a short addition chain for it [Knu97, Ch. 4.6.3]. Absent reliable methods of sampling addition chains with uniformly distributed last elements, this approach depends on the hardness of the DLP on a non-uniform distribution.

The main technical contribution of our work is the proof that the DLP constrained to a set $S$, which is chosen from an easily sampleable family of sets of cardinality $p^{1/12-\varepsilon}$, has complexity $\Omega(|S|^{3/5})$ with probability $1 - 6p^{-12\varepsilon}$. At a higher level of abstraction we develop combinatorial techniques to bound the complexity of the constrained DLP, which is a global property, using the set's local properties. We view our work as a step towards better understanding the constrained DLP and possibly designing fast exponentiation algorithms tuned to work on exponents from "secure" subsets.

The structure of the paper is as follows. In Section 2 we present a number of results which are known but otherwise scattered in the literature. In Sections 3 and 4 we give new constructions of sets with provable lower bounds on various families of algorithms for solving the constrained DLP.
1.1 Notation

We use the standard notation for asymptotic growth of functions, where

$O(g) = \{f\colon \mathbb{N} \to \mathbb{R}^+ \mid \exists c, n_0 > 0 \text{ s.t. } 0 \le f(n) \le c\,g(n) \text{ for all } n > n_0\}$;

$\Omega(g) = \{f\colon \mathbb{N} \to \mathbb{R}^+ \mid \exists c, n_0 > 0 \text{ s.t. } c\,g(n) \le f(n) \text{ for all } n > n_0\}$;

$\Theta(g) = \{f : f = O(g) \text{ and } g = O(f)\}$;

$\tilde{O}, \tilde{\Omega}, \tilde{\Theta}$ — same as $O, \Omega, \Theta$ with logarithmic factors ignored;

$\mathbb{Z}_p$ — the field of residues modulo prime $p$;

$x \in_R S$ — $x$ chosen uniformly at random from $S$.

1.2 Previous work

Algorithms for solving number-theoretic problems can be grouped into two main classes: generic attacks, applicable in any group, and specific attacks designed for particular groups. The generic attacks on the discrete logarithm include the baby-step giant-step attack [Sha71], Pollard's rho and lambda algorithms [Pol78] as well as their parallelized versions [vOW99, Pol00], surveyed in [Tes01]. The specific attacks have sprouted into a field in their own right, surveyed in [SWD96, Odl00].

A combinatorial view on generic attacks on the DLP was first introduced by Schnorr [Sch01]. He suggested the concept of the generic DL-complexity of a subset $S \subseteq \mathbb{Z}_p$, defined as the minimal number of generic operations required to solve the DLP for any element of $\{g^x \mid x \in S\}$. He showed that the generic DL-complexity of random sets of size $m \le \sqrt{p}$ is $m/2 + o(1)$. In part our work is an extension of Schnorr's paper. The combinatorial approach to the DLP was further advanced by [CLS03], which gave a characterization of generic attacks on the entire group of prime order.

Systematically, the constrained DLP has been studied for two special cases: exponents restricted to an interval and exponents with low Hamming weight. Pollard's kangaroo method has complexity proportional to the square root of the size of the interval [Pol00]. The running time of a simple Las Vegas baby-step giant-step attack on low-weight exponents is $O(\sqrt{t}\binom{n/2}{t/2})$, where $n$ is the length and $t$ is the weight of the exponent [Hei93] (for a deterministic version see [Sti02], which credits it to Coppersmith). See [CLP05] for cryptanalysis of a similar scheme in a group of unknown order.

Erdős and D. Newman studied the BSGS-1 complexity (in our notation) and asked for constructions of sets with a high (better than a random subset's) BSGS-1 complexity [EN77].

1.3 Generic algorithms

The generic group model introduced by Shoup and Nechaev [Sho97, Nec94] provides access to a group $G$ via a random injective mapping $\sigma\colon G \to \Sigma$, which encodes group elements. The group operation is implemented as an oracle that on input $(\sigma(g), \sigma(h), \alpha, \beta)$ outputs $\sigma(g^\alpha h^\beta)$ (for the sake of notational brevity we roll three group operations, group multiplication, group inversion, and group exponentiation, into one). Wlog, we restrict the arguments of the queries issued by algorithms operating in this model to encodings previously output by the oracle.

The discrete logarithm problem for groups of prime order has a trivial formalization in the generic group model:

Given $p$, $\sigma(g)$, $\sigma(g^x)$ where $g$ has order $p$ and $x \in_R \mathbb{Z}_p$, find $x$.

The proof sketch of the theorem below, which is essentially the original one due to Shoup, is reproduced here because it lays the ground for a systematic study of the complexity of algorithms in the generic group model.

Theorem 1 ([Sho97]) Let $A$ be a probabilistic algorithm and $m$ be the number of queries made by $A$. $A$ solves the discrete logarithm problem in a group of prime order $p$ with probability

$$\Pr[A(p, \sigma(g), \sigma(g^x)) = x] \le \frac{(m+2)^2}{2p} + \frac{1}{p}.$$

The probability space is $x$, $A$'s coin tosses, and the random function $\sigma$.

Proof [sketch] Instead of letting $A$ interact with a real oracle, consider the following game played by a simulator. The simulator keeps track of two lists of equal length $L_1$ and $L_2$: the list of encodings $\sigma_1, \ldots, \sigma_t \in \Sigma$, and the list of linear polynomials $a_1x + b_1, \ldots, a_tx + b_t \in \mathbb{Z}_p[x]$. Initially $L_1$ consists of two elements $\sigma_1$ and $\sigma_2$, which are the two inputs of $A$, and $L_2$ consists of $1$ and $x$. When $A$ issues a query $(\sigma_i, \sigma_j, \alpha, \beta)$, the simulator fetches the polynomials $a_ix + b_i$ and $a_jx + b_j$ from $L_2$, computes $a = \alpha a_i + \beta a_j$ and $b = \alpha b_i + \beta b_j$ and looks up $ax + b$ in $L_2$. If $ax + b = a_kx + b_k$ for some $k$, the simulator returns $\sigma_k$ as the answer to the query. Otherwise, the simulator generates a new element $\sigma_{t+1} \in_R \Sigma \setminus L_1$, appends $\sigma_{t+1}$ to $L_1$ and $ax + b$ to $L_2$, and returns $\sigma_{t+1}$.

$A$ terminates by outputting some $y \in \mathbb{Z}_p$. The game completes as follows:

1. The simulator randomly selects $x^* \in_R \mathbb{Z}_p$.

2. Compute $a_ix^* + b_i$ for all $i \le m + 2$. If $a_ix^* + b_i = a_jx^* + b_j$ for some $i \ne j$, the simulator fails.

3. $A$ succeeds if and only if $x^* = y$.

Observe that the game played by the simulator is indistinguishable from the transcript of $A$'s interaction with the actual oracle unless the simulator fails in step 2. Since for any two distinct polynomials $a_ix + b_i$ and $a_jx + b_j$ the probability that $a_ix^* + b_i = a_jx^* + b_j$ is at most $1/p$, the probability that step 2 fails is at most $(m+2)^2/2p$. Finally, we observe that the probability that $A$ wins the game in step 3 is exactly $1/p$, which completes the proof. □

It follows from the proof that the probability of success of any probabilistic adaptive algorithm for solving the discrete logarithm in $\mathbb{Z}_p$ in the generic group model can be computed given the list of the linear polynomials induced by its queries. This observation leads us to the concept of generic complexity defined in the next section.
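The simulator of the proof sketch can be written down directly. The following Python class is an added example, not code from the paper: it keeps the two lists $L_1$ and $L_2$, answers oracle queries by linear algebra on the stored polynomials, and reports the set of $x^*$ on which step 2 would fail, which is exactly the quantity that the next section turns into a complexity measure. The encoding set $\Sigma = [0, p^2)$, the seeded random generator, and the small prime in the usage call are assumptions made for the example.

```python
import random


class GenericGroupSimulator:
    """Simulator of the generic-group oracle from the proof sketch of Theorem 1
    (added example; not the paper's own code).

    L1 = self.encodings holds the encodings sigma_1, sigma_2, ...; L2 = self.polys
    holds the linear polynomials a*x + b over Z_p, stored as pairs (a, b).
    The encoding set Sigma is taken to be [0, p^2) (an assumption of this example).
    """

    def __init__(self, p, seed=0):
        self.p = p
        self.rng = random.Random(seed)        # seeded so the run is reproducible
        self.polys = [(0, 1), (1, 0)]         # L2 starts with the polynomials 1 and x
        self.encodings = []                   # L1 starts with sigma(g), sigma(g^x)
        for _ in self.polys:
            self.encodings.append(self._fresh_encoding())

    def _fresh_encoding(self):
        # sigma_{t+1} chosen uniformly from Sigma \ L1
        while True:
            s = self.rng.randrange(self.p * self.p)
            if s not in self.encodings:
                return s

    def query(self, i, j, alpha, beta):
        """Oracle query (sigma_i, sigma_j, alpha, beta): the encoding of g_i^alpha * g_j^beta.

        i and j index encodings the oracle has already output (the wlog restriction
        in the text); the answer is computed purely from the polynomials in L2.
        """
        a_i, b_i = self.polys[i]
        a_j, b_j = self.polys[j]
        a = (alpha * a_i + beta * a_j) % self.p
        b = (alpha * b_i + beta * b_j) % self.p
        if (a, b) in self.polys:              # same polynomial seen before: reuse sigma_k
            return self.encodings[self.polys.index((a, b))]
        self.polys.append((a, b))             # otherwise extend L2 and L1
        self.encodings.append(self._fresh_encoding())
        return self.encodings[-1]

    def failure_set(self):
        """The x* on which step 2 fails: two distinct polynomials agree at x*.

        For (a, b) != (a', b') the equation a*x + b = a'*x + b' has the unique
        solution x = (b' - b)/(a - a') when a != a', and none when a == a'.
        """
        fails = set()
        for u in range(len(self.polys)):
            a1, b1 = self.polys[u]
            for v in range(u + 1, len(self.polys)):
                a2, b2 = self.polys[v]
                if a1 != a2:
                    fails.add((b2 - b1) * pow(a1 - a2, -1, self.p) % self.p)
        return fails

    def success_bound(self):
        """Bound from the proof: Pr[step 2 fails] + Pr[lucky guess] = |failure set|/p + 1/p."""
        return (len(self.failure_set()) + 1) / self.p

    def finish(self, y):
        """Steps 1-3 of the game: draw x*, check for a collision, compare with the output y."""
        x_star = self.rng.randrange(self.p)
        if x_star in self.failure_set():
            return "fail"
        return x_star == y


if __name__ == "__main__":
    sim = GenericGroupSimulator(p=101)
    sim.query(0, 1, 1, 1)     # encoding of g * g^x, polynomial x + 1
    sim.query(0, 0, 2, 0)     # encoding of g^2, polynomial 2
    print(sorted(sim.failure_set()), sim.success_bound(), sim.finish(y=7))
```

Every query adds at most one polynomial, so after $m$ queries the failure set has at most $\binom{m+2}{2}$ elements, which is where the $(m+2)^2/2p$ term of the theorem comes from.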
2 Generic Complexity

Definition 1 (Intersection set) For a set of pairs $L \subseteq \mathbb{Z}_p^2$, we define its intersection set

$$I(L) = \{x \in \mathbb{Z}_p \mid \exists (a, b), (a', b') \in L \text{ s.t. } ax + b = a'x + b' \text{ and } (a, b) \ne (a', b')\}.$$

The set of pairs from the above definition corresponds to the set of queries asked by the generic algorithm. Its intersection set is the set of inputs on which the simulator from the proof of Theorem 1 fails.

Definition 2 ($L$ recognizes an $\alpha$-fraction of $S$) For $L \subseteq \mathbb{Z}_p^2$, $S \subseteq \mathbb{Z}_p$, and $0 < \alpha \le 1$ we say that $L$ recognizes an $\alpha$-fraction of the set $S$ if

$$|S \cap I(L)| \ge \alpha|S|.$$

Definition 3 (Generic complexity) The set $S \subseteq \mathbb{Z}_p$ is said to have generic $\alpha$-complexity $m$, denoted as $C_\alpha(S)$, if $m$ is the smallest cardinality of a set $L$ recognizing an $\alpha$-fraction of $S$.

Our definition of generic complexity is slightly different from the similar concept of generic DL-complexity put forth by Schnorr. We only require that the intersection set $I(L)$ cover a constant fraction of $S$ rather than the entire set [Sch01]. Our definition better matches the standard practice of cryptanalysis, where an attack is considered successful if it succeeds on a nontrivial fraction of the inputs. Moreover, our bounds exhibit different scaling behavior as a function of $\alpha$, and by parametrizing the definition with $\alpha$ we make the dependency explicit.

Proposition 1 ([Sch01]) For any $S \subseteq \mathbb{Z}_p$ the generic $\alpha$-complexity of the set $S$ is bounded as

$$\sqrt{2\alpha|S|} \le C_\alpha(S) \le \alpha|S|/2 + 3.$$

Proof The lower bound follows from the fact that for any $L \subseteq \mathbb{Z}_p^2$ the cardinality of the intersection set is bounded as $|I(L)| \le |L|^2/2$. Therefore, in order to cover at least an $\alpha$-fraction of the set, $|L|^2/2$ must be more than $\alpha|S|$.

The upper bound is attained by the following construction. If $2m \ge \alpha|S|$ and $\{x_1, \ldots, x_{2m}\} \subseteq S$, then an $\alpha$-fraction of $S$ is recognized by $L$ of size $m + 2$ defined as

$$L = \left\{(0, 0),\ (0, 1),\ \left(\frac{1}{x_2 - x_1}, \frac{x_1}{x_1 - x_2}\right), \ldots, \left(\frac{1}{x_{2m} - x_{2m-1}}, \frac{x_{2m-1}}{x_{2m-1} - x_{2m}}\right)\right\},$$

since $x_{i-1}$ and $x_i$ are the $x$-coordinates of the points of intersection of the line $y = \frac{x - x_{i-1}}{x_i - x_{i-1}}$ with the lines $y = 0$ and $y = 1$ respectively. □
Proposition 2 $\sqrt{2\alpha p} \le C_\alpha(\mathbb{Z}_p) \le 2\lceil\sqrt{\alpha p}\rceil$.

Proof The lower bound on $C_\alpha(\mathbb{Z}_p)$ is by Proposition 1. The upper bound is given by the set $L = \{(0, i), (1, -Aj) \mid 0 \le i, j < A\}$, where $A = \lceil\sqrt{\alpha p}\rceil$. Indeed,

$$I(L) = \bigcup_{0 \le i, j < A} I(\{(0, i), (1, -Aj)\}) = \bigcup_{0 \le i, j < A} \{Aj + i\},$$

which covers $[0, \alpha p)$. □

A tighter (up to a constant factor) bound in the general case and exact values for $C_1(\mathbb{Z}_p)$ for small primes $p < 100$ appear in [CLS03].

Since the generic complexity is a monotone property, it follows that for any set $S \subseteq \mathbb{Z}_p$

$$C_\alpha(S) \le \min(\alpha|S|/2 + 3,\ 2\lceil\sqrt{\alpha p}\rceil).$$
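The definitions and the two constructions above are small enough to run. The following Python functions are an added example, not code from the paper: they compute $I(L)$ of Definition 1, test Definition 2, build the sets $L$ from the proofs of Propositions 1 and 2, and evaluate $C_\alpha(S)$ exactly by exhaustive search over $L \subseteq \mathbb{Z}_p^2$ for a tiny prime, the kind of computation behind the small-prime values cited from [CLS03]. The primes and the sets in the usage calls are constructed sample inputs.

```python
import itertools
import math


def intersection_set(L, p):
    """I(L) from Definition 1: all x in Z_p at which two distinct lines of L meet.

    Lines a*x+b and a'*x+b' with a != a' meet at x = (b'-b)/(a-a'); parallel
    lines (a == a', b != b') never meet, and a pair is never compared with itself.
    """
    points = set()
    for (a1, b1), (a2, b2) in itertools.combinations(list(L), 2):
        if a1 != a2:
            points.add((b2 - b1) * pow(a1 - a2, -1, p) % p)
    return points


def recognizes(L, S, p, alpha):
    """Definition 2: does L recognize an alpha-fraction of S?"""
    return len(intersection_set(L, p) & set(S)) >= alpha * len(S)


def proposition1_set(xs, p):
    """The m+2 pairs from the proof of Proposition 1 that recognize x_1, ..., x_{2m}.

    Each pair (1/(x_i - x_{i-1}), x_{i-1}/(x_{i-1} - x_i)) is the line through
    (x_{i-1}, 0) and (x_i, 1); it meets y = 0 at x_{i-1} and y = 1 at x_i.
    """
    L = {(0, 0), (0, 1)}
    for x_prev, x_cur in zip(xs[0::2], xs[1::2]):
        inv = pow(x_cur - x_prev, -1, p)
        L.add((inv % p, (-x_prev * inv) % p))
    return L


def proposition2_set(p, alpha):
    """The 2*ceil(sqrt(alpha p)) pairs from Proposition 2 whose I(L) covers [0, alpha p)."""
    target = math.ceil(alpha * p)
    A = math.isqrt(target)
    if A * A < target:
        A += 1                                           # A = ceil(sqrt(alpha p))
    horizontals = {(0, i) for i in range(A)}             # y = i
    diagonals = {(1, (-A * j) % p) for j in range(A)}    # y = x - A j
    return horizontals | diagonals                       # they meet at x = A j + i


def generic_complexity_exact(S, p, alpha):
    """Definition 3 by exhaustive search over all L (only feasible for very small p)."""
    S = set(S)
    all_pairs = [(a, b) for a in range(p) for b in range(p)]
    for m in range(1, len(all_pairs) + 1):
        for L in itertools.combinations(all_pairs, m):
            if len(intersection_set(L, p) & S) >= alpha * len(S):
                return m
    return None


def generic_complexity_bounds(size, p, alpha):
    """sqrt(2 alpha |S|) <= C_alpha(S) <= min(alpha |S|/2 + 3, 2 ceil(sqrt(alpha p)))."""
    lower = math.sqrt(2 * alpha * size)
    upper = min(alpha * size / 2 + 3, len(proposition2_set(p, alpha)))
    return lower, upper


if __name__ == "__main__":
    p = 101
    xs = [3, 10, 20, 45]                      # constructed sample set S, 2m = 4 elements
    L1 = proposition1_set(xs, p)
    print(len(L1), recognizes(L1, xs, p, 1.0))
    L2 = proposition2_set(p, 0.5)
    print(len(L2), len(intersection_set(L2, p) & set(range(51))))
    print(generic_complexity_exact(range(5), 5, 1.0), generic_complexity_bounds(5, 5, 1.0))
```

For $p = 5$ and $S = \mathbb{Z}_5$ the exhaustive search returns 4, which sits inside the interval $[\sqrt{10}, 5.5]$ given by the two propositions; the search is exponential in $|L|$ and is only meant to make the definition tangible.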

Now we are ready to establish the connection between the generic complexity of a set and the discrete logarithm problem.

Theorem 2 Let $S \subseteq \mathbb{Z}_p$ and $A_S$ be a generic algorithm that makes $m < C_\alpha(S)$ queries and outputs a number from $\mathbb{Z}_p$. Then its probability of success is bounded as¹

$$\Pr[A_S(\sigma(g), \sigma(g^x)) = x] \le \alpha + \frac{1}{|S|},$$

where the probability is taken over $A$'s random tape, the oracle answers, and $x \in_R S$. The above bound is tight, i.e., for any set $S$ there is a generic algorithm whose query complexity is $C_\alpha(S)$ and probability of success is at least $\alpha + 1/|S|$.

Proof [sketch] The proof essentially follows that of Theorem 1. Let $L$ be the set of pairs $(a_i, b_i)$ constructed by the simulator and $x^* \in_R S$ be its choice for $x$. The adversary succeeds in two cases: either $x^*$ belongs to the intersection set of $L$ or $x^*$ is the output of $A_S$. The first probability is at most $|I(L) \cap S|/|S| < \alpha$ as long as $m < C_\alpha(S)$, the second probability is exactly $1/|S|$.

The tightness property follows from the definition of generic complexity. Let $L$ be the set of pairs of size $C_\alpha(S)$ so that $|S \cap I(L)| \ge \alpha|S|$. Query the oracle $(\sigma(g^x), \sigma(g), a, b)$ for all pairs $(a, b) \in L$. With probability $|I(L) \cap S|/|S|$ there is a collision that gives away $x$, otherwise make a guess that succeeds with probability $1/|S \setminus I(L)|$. □

Notice that the theorem above is unconditional and the adversary is computationally unbounded. In particular, the adversary is given full access to $S$ and can design an $S$-specific algorithm. As long as the algorithm has only oracle access to the group, $C_\alpha(S)$ is a lower bound on the number $m$ of oracle queries needed by the algorithm to succeed with probability at least $\alpha + 1/|S|$.

We know that $C_\alpha(S)$ can be negligible compared to $|S|$ (for instance, according to Proposition 2 when $S = \mathbb{Z}_p$, $|S| = p$ but its generic complexity is $O(\sqrt{p})$). Since the generic complexity is intimately related to the query complexity of any discrete logarithm-solving algorithm, we would like to build sets with higher generic complexity. The next theorem demonstrates that for a fixed $p$ a random set of size less than $\sqrt{p}$ has a near-linear generic complexity.

¹This statement is stronger than the one in the proceedings version.
Theorem 3 For a random subset $S \subseteq \mathbb{Z}_p$ of size $p^\varepsilon$ for some constant $\varepsilon \le 1/2$, its generic $\alpha$-complexity is at least

$$C_\alpha(S) \ge \frac{\alpha|S|}{\ln p}$$

with probability $1 - 1/p$ for large enough $p$.

Proof The proof is by a counting argument. We shall bound the number of sets $S$ of size $k = p^\varepsilon$ whose $\alpha$-fraction can be recognized by a set $L$ of size $\delta k$, when $\varepsilon \le 1/2$ and $\delta = \alpha/\ln p$. Suppose $|L| = \delta k$ and $|I(L) \cap S| \ge \alpha k$, where $S$ is to be constructed. There are $\binom{p^2}{\delta k}$ subsets $L \subseteq \mathbb{Z}_p^2$ of size $\delta k$. The intersection set $I(L)$ has size at most $(\delta k)^2$ and contains at least $\alpha k$ elements which belong to $S$. There are thus at most $\binom{p^2}{\delta k}\binom{(\delta k)^2}{\alpha k}$ distinct possibilities for these $\alpha k$ elements. The $(1-\alpha)$-fraction of $S$ can be chosen arbitrarily from $\mathbb{Z}_p$, in $\binom{p}{(1-\alpha)k}$ many ways. In total the number of subsets $S$ of generic complexity $\delta k$ and cardinality $k$ is bounded by $\binom{p^2}{\delta k}\binom{(\delta k)^2}{\alpha k}\binom{p}{(1-\alpha)k}$. Using $\binom{n}{k} \le (ne/k)^k$ for any $0 < k \le n$ and $x^{1/x} \le 1.5$ for any $x > 0$ we bound the product as

$$\binom{p^2}{\delta k}\binom{(\delta k)^2}{\alpha k}\binom{p}{(1-\alpha)k} \le \left(\frac{p^2 e}{\delta k}\right)^{\delta k}\left(\frac{\delta^2 k\, e}{\alpha}\right)^{\alpha k}\left(\frac{p e}{(1-\alpha)k}\right)^{(1-\alpha)k} \le \left(1.5^3\, e^{1+\delta}\, p^{2\delta+(1-\alpha)}\, k^{2\alpha-\delta-1}\right)^k.$$

We want this number to be less than a $1/p$-fraction of the number of subsets of $\mathbb{Z}_p$ of size $k$, which is $\frac{1}{p}\binom{p}{k} \ge \frac{1}{p}(p/k)^k$. By taking the $k$th root of both numbers and substituting $k = p^\varepsilon$, we arrive at the following inequality:

$$1.5^3\, e^{1+\delta}\; p^{2\delta+(1-\alpha)+\varepsilon(-\delta+2\alpha-1)+p^{-\varepsilon}} \le p^{1-\varepsilon}.$$

Notice that the inequality holds for $\delta < \alpha(1-2\varepsilon)$ if $\varepsilon < 1/2$ and for $\delta \le \alpha/\ln p$ if $\varepsilon = 1/2$. When $\varepsilon$ is constant and $p$ is large enough, $\delta = \alpha/\ln p < \alpha(1-2\varepsilon)$. □

The bottom line of the theorem we just proved is that hard sets (where the discrete logarithm is hard to compute using a generic algorithm) are easy to come by. In fact, almost any set has high generic complexity (also previously observed in [Sch01]).

In what follows we sharply lower the amount of randomness that is required to provide any non-trivial guarantee of generic complexity.



3 More complexities and lower bounds

Many sets of group elements with special properties may be attacked using a baby-step giant-step method. In this method the attacker first computes $g^{c_1}, \ldots, g^{c_m}$ (giant steps) and then compares them against $g^{a_1x+b_1}, \ldots, g^{a_mx+b_m}$ (baby steps). Any collision between a baby step and a giant step gives away $x$. We define the complexity of this method along the lines of the generic complexity from the previous section.
Definition 4 (Intersection set-2) For a set of pairs $L \subseteq \mathbb{Z}_p^2$ and a set of points $C \subseteq \mathbb{Z}_p$, we define their intersection set as

$$I(L, C) = \{x \in \mathbb{Z}_p \mid \exists (a, b) \in L,\ c \in C \text{ s.t. } a \ne 0 \text{ and } ax + b = c\}.$$

Definition 5 (Baby-step giant-step complexity) The set $S \subseteq \mathbb{Z}_p$ is said to have baby-step giant-step $\alpha$-complexity (BSGS complexity for short) $m$, denoted as $C_\alpha^{\mathrm{BSGS}}(S)$, if $m$ is the smallest integer such that there exist $L \subseteq \mathbb{Z}_p^2$ and $C \subseteq \mathbb{Z}_p$, with $|L| = |C| = m$ and $|I(L, C) \cap S| \ge \alpha|S|$.

An important particular case of the baby-step giant-step method is when all lines defined by $L$ are parallel (i.e., all $a_i = 1$).

Definition 6 (BSGS-1 complexity) The set $S \subseteq \mathbb{Z}_p$ has BSGS-1 $\alpha$-complexity $m$, denoted as $C_\alpha^{\mathrm{BSGS\text{-}1}}(S)$, if $m$ is the smallest integer such that there exist $L \subseteq \{1\} \times \mathbb{Z}_p$ and $C \subseteq \mathbb{Z}_p$, with $|L| = |C| = m$ and $|I(L, C) \cap S| \ge \alpha|S|$.

Equivalently, $C_\alpha^{\mathrm{BSGS\text{-}1}}(S)$ is the smallest integer $n$ such that there exist $X, Y \subseteq \mathbb{Z}_p$, with $n = |X| = |Y|$ and $|S \cap (X - Y)| \ge \alpha|S|$, where $X - Y$ is the set of pairwise differences between $X$ and $Y$. The intersection sets from the three definitions of complexities appear in Fig. 1.




Figure 1: Intersection sets for BSGS-1, BSGS, and generic complexities: $I(\{(1, b_1), (1, b_2), (1, b_3)\}, \{c_1, c_2, c_3\})$, $I(\{(a_1, b_1), (a_2, b_2), (a_3, b_3)\}, \{c_1, c_2, c_3\})$, and $I(\{(a_1, b_1), (a_2, b_2), (a_3, b_3), (a_4, b_4), (a_5, b_5)\})$.

The problem of computing $C_\alpha^{\mathrm{BSGS\text{-}1}}(S)$ is superficially similar to a number of problems in additive number theory concerned with studying properties of $X - Y$. However, our goal is fundamentally different since we require that $X - Y$ cover a large fraction of $S$ rather than be exactly equal to it. To the best of our knowledge, the only paper in the literature directly applicable to bounding $C_\alpha^{\mathrm{BSGS\text{-}1}}(S)$ is a 1977 paper by Erdős and Newman [EN77]. They proved analogues of our Theorems 3 and 6 and bounded the BSGS-1 complexity (in our notation) of the set of small squares $\{x \mid x <$ … open the problem of constructing sets with a strictly linear BSGS-1 complexity (without the $1/\log p$ factor).

The BSGS and BSGS-1 complexities provide useful upper bounds for the generic complexity.

Proposition 3 $C_\alpha(S) \le C_\alpha^{\mathrm{BSGS}}(S) \le C_\alpha^{\mathrm{BSGS\text{-}1}}(S)$.

Proof Let $C' = \{0\} \times C = \{(0, c) \mid c \in C\}$. Then $I(L, C) \subseteq I(L \cup C')$, which implies the first inequality. The second inequality follows from the fact that any BSGS-1 attack is also a BSGS attack. □
Consider, for example, the baby-step giant-step attacks on exponents with low Hamming weight [Hei93, Sti02]. Define $S_\lambda = \{x \in \mathbb{Z}_p \mid \nu(x) = \lambda|x|\}$, where $\nu(x)$ is the number of ones in the binary representation of $x$. Stinson [Sti02] estimates the complexity of the randomized algorithm due to Coppersmith to yield

$$C^{\mathrm{BSGS}}_{1/2}(S_\lambda) = O\!\left(\sqrt{t}\; 2^{\frac{n}{2}\log_2\left(\lambda^{-\lambda}(1-\lambda)^{-(1-\lambda)}\right)}\right).$$

For instance, if $\lambda = 1/4$, the bound becomes $C^{\mathrm{BSGS}}_{1/2}(S_{0.25}) = O(p^{0.406})$.

Following Propositions 2 and 3 and Theorem 3, the BSGS-1 $\alpha$-complexity of a set of cardinality less than $\sqrt{p}$ lies between $\alpha|S|/2$ and $2\sqrt{\alpha p}$, where the lower bound is trivial and the upper bound is approximated up to a logarithmic factor by almost any subset of size $\sqrt{p}$. In this section we construct a set with succinct representation and a non-trivial BSGS-1 complexity. We start by stating without proof an important combinatorial lemma known as the Zarankiewicz problem [Zar51]:

Theorem 4 ([Bol04, Ch. IV.2]) Let $Z(n, s, t)$ be the maximum number of ones that can be arranged in an $n \times n$ matrix such that there is no all-one $t \times s$ (possibly disjoint) submatrix. Then

$$Z(n, s, t) \le s^{1/t}\, n^{2 - 1/t}.$$

Notice that the asymptotics of the bound on $Z(n, s, t)$ depend on the smaller of the two dimensions of the prohibited all-one submatrix. It is known that the bound is tight (up to a constant factor) for $t = 2, 3$.

Our second combinatorial tool follows from a more general upper bound due to A. Naor and Verstraete on the number of edges in a bipartite graph without cycles of length $2k$ ($C_{2k}$-free graph):

Theorem 5 ([NV05]) The maximum number of edges in a $C_{2k}$-free $(n, n)$-bipartite graph is less than $2k\,n^{1+1/k}$.

When $k = 2$ the two theorems overlap. Indeed, a 0-1 matrix is also a bipartite graph, where the rows and columns form the vertex set and the non-zero elements indicate adjacency of the corresponding vertices. In this case an all-one $2 \times 2$ submatrix represents a cycle of length 4 in the graph. Our theorems fully reflect this relationship: Theorem 6 can be proved using either the Zarankiewicz or the Naor–Verstraete bound; its generalization Theorem 7 makes use of $C_{2k}$-free graphs, while Theorems 8 and 9 apply the Zarankiewicz bound.
Theorem 6 Suppose $S \subseteq \mathbb{Z}_p$ has the property that all pairwise sums of different elements of $S$ are distinct. Then

$$C_\alpha^{\mathrm{BSGS\text{-}1}}(S) \ge (\alpha|S|/\sqrt{2})^{2/3}.$$

Proof Take $X, Y \subseteq \mathbb{Z}_p$ such that $n = |X| = |Y|$ and $|S \cap (X - Y)| \ge \alpha|S|$. Consider an $n \times n$ matrix $M$, whose rows and columns are labeled with elements of $X$ and $Y$ respectively. For each element $s \in S \cap (X - Y)$ find one pair $x \in X$ and $y \in Y$ such that $s = x - y$ and set the $(x, y)$ entry of the matrix to one. Since $X - Y$ covers at least an $\alpha$-fraction of $S$, the number of ones in the matrix is at least $\alpha|S|$.

We claim that $M$ does not contain an all-one $2 \times 2$ submatrix. Assume the opposite: the submatrix given by elements $x_1, x_2$ and $y_1, y_2$ has four ones. It follows that all four $s_{11} = x_1 - y_1$, $s_{12} = x_1 - y_2$, $s_{21} = x_2 - y_1$, $s_{22} = x_2 - y_2 \in S$. Then $s_{11} + s_{22} = s_{12} + s_{21}$, which contradicts the assumption that all pairwise sums of elements of $S$ are distinct. Applying the Zarankiewicz bound for the case $s = t = 2$, we prove that

$$\alpha|S| \le Z(n, 2, 2) \le \sqrt{2}\,n^{2-1/2} = \sqrt{2}\,n^{3/2},$$

which implies that $n = C_\alpha^{\mathrm{BSGS\text{-}1}}(S) \ge (\alpha|S|/\sqrt{2})^{2/3}$. □
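The proof can be replayed on a concrete set. The Python code below is an added example, not code from the paper: it checks the weak Sidon property modulo $p$, builds the $n \times n$ 0-1 matrix $M$ from $X$, $Y$ and $S$ with one entry per covered element, and searches it for an all-one $2 \times 2$ submatrix; a greedy construction supplies a small weak modular Sidon set, and a set that is not weak Sidon shows how the prohibited pattern appears. The prime $p = 101$, the greedy construction, and the sets $X$ and $Y$ are assumptions of the example.

```python
import itertools
import math


def is_weak_sidon_mod(S, p):
    """True iff all sums of two distinct elements of S are distinct modulo p
    (the hypothesis of Theorem 6)."""
    sums = set()
    for u, v in itertools.combinations(sorted(S), 2):
        s = (u + v) % p
        if s in sums:
            return False
        sums.add(s)
    return True


def greedy_weak_sidon(p, size):
    """Greedily pick residues whose pairwise sums stay distinct mod p (constructed example)."""
    chosen, sums = [], set()
    for c in range(p):
        new_sums = {(c + s) % p for s in chosen}
        if len(new_sums) == len(chosen) and not (new_sums & sums):
            chosen.append(c)
            sums |= new_sums
            if len(chosen) == size:
                return chosen
    raise ValueError("greedy search did not reach the requested size")


def bsgs1_matrix(X, Y, S, p):
    """The 0-1 matrix M of the proof of Theorem 6.

    Rows are labeled by X, columns by Y; for every s in S covered by X - Y exactly
    one entry (x, y) with x - y = s is set to one. Returns M and the covered elements.
    """
    X, Y = list(X), list(Y)
    covered = set()
    M = [[0] * len(Y) for _ in X]
    for i, x in enumerate(X):
        for j, y in enumerate(Y):
            s = (x - y) % p
            if s in S and s not in covered:
                covered.add(s)
                M[i][j] = 1
    return M, covered


def has_all_one_2x2(M):
    """Does M contain rows r1 != r2 and columns c1 != c2 with all four entries one?"""
    for r1, r2 in itertools.combinations(range(len(M)), 2):
        shared = [c for c in range(len(M[0])) if M[r1][c] and M[r2][c]]
        if len(shared) >= 2:
            return True
    return False


def theorem6_bound(alpha, size):
    """(alpha |S| / sqrt 2)^(2/3), the lower bound on C_alpha^{BSGS-1}(S) from Theorem 6."""
    return (alpha * size / math.sqrt(2)) ** (2 / 3)


if __name__ == "__main__":
    p = 101
    S = greedy_weak_sidon(p, 8)                         # weak Sidon: Theorem 6 applies
    X, Y = S, [0, 50, 51, 52, 53, 54, 55, 56]           # X - Y covers all of S via y = 0
    M, covered = bsgs1_matrix(X, Y, set(S), p)
    print(S, len(covered), has_all_one_2x2(M), theorem6_bound(1.0, len(S)))
    # A set that is not weak Sidon: 1 + 5 = 2 + 4, and the prohibited 2x2 pattern shows up.
    M2, covered2 = bsgs1_matrix([11, 14], [10, 9], {1, 2, 4, 5}, p)
    print(is_weak_sidon_mod([1, 2, 4, 5], p), has_all_one_2x2(M2))
```

For the weak Sidon set the matrix never contains the $2 \times 2$ pattern whatever $X$ and $Y$ are, so its number of ones, and hence $\alpha|S|$, is capped by $Z(n, 2, 2)$; for $\{1, 2, 4, 5\}$ the choice $X = \{11, 14\}$, $Y = \{10, 9\}$ covers all four elements with $n = 2$, which the theorem's bound would forbid for a Sidon set of that size.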
The sets where sums of pairs of different elements are distinct are known in combinatorics as weak Sidon sets. They are closely related to (strong) Sidon sets, also called $B_2$ sequences, where all pairwise sums (of not necessarily different elements) are distinct (for a comprehensive survey see [O'B04], which includes more than 120 bibliographic entries). Explicit constructions of Sidon subsets of $\{1, \ldots, n\}$ due to Singer and Ruzsa have cardinality at least $\sqrt{n} - n^{0.2625}$ [Sin38, BC63, Ruz93, BHP01].

We additionally require that the sums be distinct modulo $p$. The size of such sets is bounded from above by $p^{1/2} + 1$ [HH04, Theorem 3]. The easiest shortcut to constructing weak modular Sidon sets is to take a strong Sidon subset of $\{0, \ldots, \lfloor p/2 \rfloor\}$ (see also [O'B02, Ch. 3] and [GS80]). Denser Sidon sets may be constructed for primes of the form $p = q^2 + q + 1$, where $q$ is also prime [Sin38]. The existence of infinitely many such primes is implied by Schinzel's Hypothesis H and their density follows from the even stronger Bateman–Horn conjecture [Guy04, A]. Interestingly, modular Sidon sets are useful not only in constructing sets with high complexity, via Theorem 6, but also for solving the discrete logarithm problem in $\mathbb{Z}_p$ [HLS04].



4 Beyond the Basics

Theorem 6 can be generalized to make use of Sidon sets of higher order. First, we prove that if all $k$-wise sums of elements of $S$ are distinct (counting permutations of the same $k$-tuple only once), then there is a bound on the BSGS-1 complexity. Second, we provide a result that there exist such sets of size $\Omega(p^{1/k})$.

Theorem 7 Suppose $S \subseteq \mathbb{Z}_p$ is such that all $k$-wise sums of different elements of $S$ are distinct (excluding permutations of the summands). Then

$$C_\alpha^{\mathrm{BSGS\text{-}1}}(S) \ge (\alpha|S|/(2k))^{k/(k+1)}.$$
Proof Take $X, Y \subseteq \mathbb{Z}_p$ such that $C_\alpha^{\mathrm{BSGS\text{-}1}}(S) = |X| = |Y| = n$ and $|S \cap (X - Y)| \ge \alpha|S|$. Instead of the matrix as in Theorem 6 consider a bipartite graph $G(X, Y)$, where there is an edge $(x, y)$ if and only if $x - y \in S$ (keep only one edge per element of $S$).

We claim that there are no $2k$-cycles (without repeated edges) in the bipartite graph $G$. Assume the opposite: there is a cycle $(x_1, y_1, \ldots, x_k, y_k, x_1, y_1)$. Consider two sums:

$$(x_1 - y_1) + (x_2 - y_2) + \cdots + (x_k - y_k) \quad\text{and}\quad (x_2 - y_1) + (x_3 - y_2) + \cdots + (x_k - y_{k-1}) + (x_1 - y_k).$$

Not only are the two sums equal, they also consist of $k$ elements of $S$ each, and these elements are all distinct (as every element of $S$ appears as an edge of $G$ at most once). A contradiction is found.

The number of edges in an $(n, n)$-bipartite graph without $2k$-cycles is less than $2k\,n^{1+1/k}$ (Theorem 5). Therefore $\alpha|S| < 2k\,n^{1+1/k}$ and $n = C_\alpha^{\mathrm{BSGS\text{-}1}}(S) > (\alpha|S|/(2k))^{k/(k+1)}$. □

Bose and Chowla give a construction for subsets of $\{1, \ldots, q^k\}$ of prime size $q$ whose $k$-wise sums are distinct (in the integers, not modulo $p$) [BC63]. By choosing the largest prime $q$ less than $p^{1/k}$ (which, for large $p$, is more than $p^{1/k} - p^{0.525/k}$ [BHP01]) and an interval of length $q^k/k$ with a $1/k$ proportion of the set's elements, we guarantee that all $k$-sums are distinct in $\mathbb{Z}_p$ as well. Unfortunately, [BC63] does not provide an efficient sampling algorithm.

Along the lines of Theorem 6 we prove that other verifiable criteria imply non-trivial bounds on the BSGS and generic complexity.

Theorem 8 Suppose $S \subseteq \mathbb{Z}_p$ is such that for any distinct $x_1, x_2, y_1, y_2, z_1, z_2 \in S$:

$$\det\begin{pmatrix} x_1 - y_1 & x_2 - y_2 \\ y_1 - z_1 & y_2 - z_2 \end{pmatrix} \ne 0. \qquad (1)$$

Then

$$C_\alpha^{\mathrm{BSGS}}(S) \ge (\alpha|S|/\sqrt{3})^{2/3}.$$

Proof Take $L \subseteq \mathbb{Z}_p^2$ and $C \subseteq \mathbb{Z}_p$ such that $|L| = |C| = n$ and $|I(L, C) \cap S| \ge \alpha|S|$. As in Theorem 6 consider the $n \times n$ matrix $M$ whose rows and columns are labeled with elements of $L$ and $C$ respectively. For each element $s \in S \cap I(L, C)$ set one entry in row $(a, b)$ and column $c$ to one, where $s = (c - b)/a$. Thus, the total number of ones in the matrix is exactly $m = |I(L, C) \cap S|$. If there is a $2 \times 3$ all-one submatrix in $M$, then property (1) does not hold (three parallel lines divide two other lines proportionally). The Zarankiewicz bound implies that

$$\alpha|S| \le Z(n, 3, 2) \le \sqrt{3}\,n^{2-1/2} = \sqrt{3}\,n^{3/2}.$$

Hence $C_\alpha^{\mathrm{BSGS}}(S) = n \ge (\alpha|S|/\sqrt{3})^{2/3}$. □

Constructing a large subset of $\mathbb{Z}_p$ with a short description satisfying the condition of the previous theorem is a difficult problem. Fortunately, the probability that a random 6-tuple of $\mathbb{Z}_p$ elements fails to satisfy (1) is $2/p$ [Sch80]. This observation motivates the following definition:

Definition 7 ($\mathcal{S}(N, k)$ family) Let $\mathcal{S}(N, k) = \{x_1, \ldots, x_N\}$ be a family of subsets of $\mathbb{Z}_p$, where $x_1, \ldots, x_N\colon \mathcal{K} \to \mathbb{Z}_p$ are $k$-wise independent random variables ($\mathcal{K}$ is the probability space).
Properties of $\mathcal{S}(N, k)$ are established in the following proposition:

Proposition 4 1. $\mathcal{S}(N, k)$ can be defined over $\mathcal{K} = \mathbb{Z}_p^k$.

2. For $k > 1$, $\Pr_{S \in \mathcal{S}(N,k)}[|S| \ne N] \le N^2/p$.

3. If $h \in \mathbb{Z}[y_1, \ldots, y_k]$ and $d = \deg(h) > 0$, then

$$\Pr_{S \in \mathcal{S}(N,k)}[\exists \text{ distinct } z_1, \ldots, z_k \in S \text{ with } h(z_1, \ldots, z_k) = 0] \le N^k d/p.$$

Proof 1. To construct $\mathcal{S}(N, k)$ we use a well-known $k$-universal family of functions (following [CW77]). Let the probability space be $\mathcal{K} = \mathbb{Z}_p^k$ and $f_a(x) = a_{k-1}x^{k-1} + \cdots + a_0$ for $a = (a_0, \ldots, a_{k-1}) \in \mathcal{K}$. Define the random variables $x_i = f_a(i)\colon \mathcal{K} \to \mathbb{Z}_p$ for $1 \le i \le N$. We claim that the variables $x_1, \ldots, x_N$ are $k$-wise independent. This follows from the system $f_a(i_1) = y_1, \ldots, f_a(i_k) = y_k$ having a unique solution $a \in \mathcal{K}$ for any distinct $i_1, \ldots, i_k \in \{1, \ldots, N\}$ and $y_1, \ldots, y_k \in \mathbb{Z}_p$. Notice that any $S \in \mathcal{S}(N, k)$ can be easily enumerated and sampled from.

2. Let $I_{ij}$ be the indicator variable which is equal to 1 when $x_i = x_j$ and 0 otherwise. The cardinality of $S = \{x_1, \ldots, x_N\}$ is at least $N - \sum_{i<j} I_{ij}$. Since $x_i$ and $x_j$ are independent for all $i \ne j$, $\mathbb{E}[I_{ij}] = 1/p$. By linearity of expectation, the expected value $\mathbb{E}[\sum_{i<j} I_{ij}] \le N^2/p$. By Markov's inequality $\Pr[|S| \ne N] = \Pr[\sum_{i<j} I_{ij} \ge 1] \le N^2/p$.

3. Let $I_{i_1, \ldots, i_k}$ for all distinct $1 \le i_1, \ldots, i_k \le N$ be the indicator variable that is 1 if and only if $h(x_{i_1}, \ldots, x_{i_k}) = 0$. By independence of the variables and [Sch80], $\mathbb{E}[I_{i_1, \ldots, i_k}] \le d/p$, which by linearity of expectation and Markov's inequality implies that $\Pr_S[\exists \text{ distinct } x_1, \ldots, x_k \in S \text{ with } h(x_1, \ldots, x_k) = 0] \le \Pr_S[\sum_{i_1, \ldots, i_k} I_{i_1, \ldots, i_k} \ge 1] \le N^k d/p$. □

It follows that a randomly chosen set from the family $\mathcal{S}(p^{1/6-\varepsilon}, 6)$ has size $p^{1/6-\varepsilon}$ with probability at least $1 - p^{-2/3}$ and satisfies the condition of Theorem 8 with probability at least $1 - 2p^{-6\varepsilon}$.
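Item 1 of the proposition is easy to exercise. The following Python code is an added example, not part of the paper: it implements the family $\mathcal{S}(N, k)$ exactly as in the proof (keys $a \in \mathbb{Z}_p^k$, $x_i = f_a(i)$), enumerates all $p^k$ keys for a small prime to confirm that $(x_{i_1}, \ldots, x_{i_k})$ is uniform over $\mathbb{Z}_p^k$ for distinct indices, and measures the fraction of keys whose set has fewer than $N$ elements against the $N^2/p$ bound of item 2. The small parameters in the usage calls are constructed for the example.

```python
import itertools


def poly_eval(coeffs, x, p):
    """f_a(x) = a_{k-1} x^{k-1} + ... + a_1 x + a_0 over Z_p, coeffs = (a_0, ..., a_{k-1})."""
    acc = 0
    for c in reversed(coeffs):            # Horner's rule, highest coefficient first
        acc = (acc * x + c) % p
    return acc


def sample_member(p, N, coeffs):
    """The member of S(N, k) selected by the key a = coeffs: (x_1, ..., x_N) with x_i = f_a(i)."""
    return [poly_eval(coeffs, i, p) for i in range(1, N + 1)]


def is_k_wise_independent(p, N, k, indices):
    """Enumerate every key a in Z_p^k and check that (x_{i_1}, ..., x_{i_k}) hits each
    of the p^k tuples exactly once, i.e. is uniform on Z_p^k (the claim in item 1)."""
    seen = set()
    for coeffs in itertools.product(range(p), repeat=k):
        seen.add(tuple(poly_eval(coeffs, i, p) for i in indices))
    return len(seen) == p ** k


def collision_fraction(p, N, k):
    """Fraction of keys whose set {x_1, ..., x_N} has fewer than N elements (|S| != N);
    item 2 of the proposition bounds it by N^2 / p."""
    bad = 0
    for coeffs in itertools.product(range(p), repeat=k):
        if len(set(sample_member(p, N, coeffs))) < N:
            bad += 1
    return bad / p ** k


if __name__ == "__main__":
    p, N = 31, 4                                  # constructed small parameters
    print(sample_member(p, N, (3, 5, 7)))         # f_a(x) = 7x^2 + 5x + 3 at x = 1..4
    print(is_k_wise_independent(p, N, 3, (1, 2, 4)))
    print(collision_fraction(p, N, 2), N ** 2 / p)
```

For $k = 2$ the measured collision fraction is exactly $1/p$: the linear map $f_a(x) = a_1x + a_0$ takes equal values at two distinct points in $\{1, \ldots, N\}$ only when $a_1 = 0$, well under the $N^2/p$ guaranteed by Markov's inequality. Passing a repeated index makes the uniformity check fail, which is why the proof insists on distinct $i_1, \ldots, i_k$.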

To apply a similar argument to the all-powerful generic complexity, we may show that for small constants $m_1$ and $m_2$, the projections on the $x$ axis of the intersection points of an irregular $m_1$ by $m_2$ grid (in which lines need not be parallel) satisfy a certain relationship. Next, a set $S$, where any $m_1m_2$-tuple avoids this relationship, is to be constructed.

Let us see first why this argument works for some values of $m_1$ and $m_2$, and then improve the parameters. Let $m_1 = 4$ and $m_2 = 5$. There are 9 lines that can be described using 18 parameters. On the other hand, there are 20 points that form the intersection set of these lines. Each of the 20 intersection points imposes a linear equation on the parameters, and hence the system is overdetermined (even if we exclude linearly dependent equations). In particular, this implies that the probability that a random 20-tuple of elements of $\mathbb{Z}_p$ is coverable by a $4 \times 5$ grid is negligible. We refine this argument in the following proposition.

Figure 2: "Prohibited" configurations (Theorems 6, 7 and 8, Proposition 5); the figure is labeled $x_1 + y_2 = x_2 + y_1$.

Proposition 5 (Bipartite Menelaus' theorem) Consider seven lines $l_x, l_y, l_z, l_1, l_2, l_3, l_4$ forming an irregular grid, and their twelve intersection points. Let $x_i, y_i, z_i$ be the projections on the $x$ axis of the intersection points of $l_i$ with the lines $l_x, l_y, l_z$. Then the following holds:

$$\det\begin{pmatrix}
x_1 - y_1 & x_1 - z_1 & z_1(x_1 - y_1) & y_1(x_1 - z_1) \\
x_2 - y_2 & x_2 - z_2 & z_2(x_2 - y_2) & y_2(x_2 - z_2) \\
x_3 - y_3 & x_3 - z_3 & z_3(x_3 - y_3) & y_3(x_3 - z_3) \\
x_4 - y_4 & x_4 - z_4 & z_4(x_4 - y_4) & y_4(x_4 - z_4)
\end{pmatrix} = 0. \qquad (2)$$

Proof Denote the $4 \times 4$ matrix in (2) by $M$. Observe that if any of the seven lines is vertical, (2) follows immediately. Indeed, if $l_y = \{x = \text{const}\}$, then $y_1 = y_2 = y_3 = y_4$ and the second and the fourth columns of $M$ are linearly dependent. Moreover, $\det M$ is invariant under permutations of $l_x, l_y$, and $l_z$, which takes care of vertical $l_x$ or $l_z$. If $l_i$ is vertical for some $1 \le i \le 4$, then the $i$th row of $M$ is all-zero, and $\det M = 0$.

If none of the lines is vertical, we can write down equations for all of them in Cartesian coordinates. Let $l_{x,y,z} = \{a_{x,y,z}\,x + b_{x,y,z}\}$ and $l_i = \{c_i x + d_i\}$ for $1 \le i \le 4$. Each intersection point imposes an equation on the parameters of the two lines incident with it, a total of 12 equations in 14 unknowns. However, the system always has a trivial solution, when all lines are equal. Rewrite the system using new variables: $\tilde{a}_y = a_y - a_x$, $\tilde{b}_y = b_y - b_x$, $\tilde{a}_z = a_z - a_x$, $\tilde{b}_z = b_z - b_x$, $\tilde{c}_i = c_i - a_x$, $\tilde{d}_i = d_i - b_x$, etc. The result is a homogeneous system of 12 linear equations in 12 new variables. It has a non-zero solution if and only if its matrix is singular (only non-zero elements are shown):



$$M' = \begin{pmatrix}
 & & & & x_1 & 1 & & & & & & \\
 y_1 & 1 & & & -y_1 & -1 & & & & & & \\
 & & z_1 & 1 & -z_1 & -1 & & & & & & \\
 & & & & & & x_2 & 1 & & & & \\
 y_2 & 1 & & & & & -y_2 & -1 & & & & \\
 & & z_2 & 1 & & & -z_2 & -1 & & & & \\
 & & & & & & & & x_3 & 1 & & \\
 y_3 & 1 & & & & & & & -y_3 & -1 & & \\
 & & z_3 & 1 & & & & & -z_3 & -1 & & \\
 & & & & & & & & & & x_4 & 1 \\
 y_4 & 1 & & & & & & & & & -y_4 & -1 \\
 & & z_4 & 1 & & & & & & & -z_4 & -1
\end{pmatrix},$$

where the columns are indexed by $(a_y', b_y', a_z', b_z', c_1', d_1', c_2', d_2', c_3', d_3', c_4', d_4')$ and, for each $i$, the three rows correspond to the intersections of $l_i$ with $l_x$, $l_y$ and $l_z$. One can verify that $\det(M) = \det(M')$. □
In the full version of the paper we give a geometric proof of the proposition, deriving (2) directly, and explain the connection with the classic Menelaus' theorem. We also give an alternative statement of the theorem, which puts it in the realm of projective geometry.

Proposition 5 is the "minimal" condition that holds for the $x$-coordinates of the intersection points of two sets of lines in general position. Indeed, it follows from the proof that for any assignment of distinct values to the eleven variables $x_{1,2,3,4}$, $y_{1,2,3,4}$, $z_{1,2,3}$ there is a configuration of lines whose intersection points project to those variables. Other configurations with as many or fewer intersection points do not produce any conditions either. For example, six lines intersecting two lines can project to any collection of twelve points. All geometric arguments (Theorems [refs illegible], Proposition 5) are illustrated in Fig. 2.

Theorem 9 If $S$ is chosen from $S(p^{[?]}, 12)$, then with probability at least $1 - 6p^{-[?]}$

$$C_a(S) > (a|S|/4)^{3/5}.$$

Proof Consider the set of lines $L$ (over $\mathbb{Z}_p$) such that $C_a(S) = |I(L) \cap S|$ and $n = |L|$. As in Theorem [?] we apply the Zarankiewicz bound to the $n \times n$ matrix, only now both the rows and the columns are labeled with elements of the set $L$. Similarly, only one occurrence of an element of $S$ as the $x$-coordinate of the intersection of two distinct lines is recorded in the matrix.

According to Proposition [?], $S$ avoids solutions to the equation (2), whose left-hand side is a multivariate polynomial of total degree 6, with probability greater than $1 - 6p^{-[?]}$. Therefore the probability that there exist 12 points in $S$ that can be the intersection set of two groups of lines consisting of 3 and 4 lines respectively is less than $6p^{-[?]}$. Finally, as before, $a|S| \le Z(n,4,3) \le 4^{1/3} n^{2 - 1/3} = 4^{1/3} n^{5/3} = 4^{1/3} C_a(S)^{5/3}$. □
Unlike the proofs of Theorems [?] and [?], where the classes in which the lines are grouped arise naturally, the use of bipartite Menelaus' theorem in the analysis of generic complexity above might appear less motivated. In fact, classic Menelaus' theorem imposes a simple condition (a cubic equation) on the intersection set of four lines. It is the second step of the argument, where we translate absence of a certain submatrix (subgraph) into sparseness of the entire matrix, which becomes problematic: unless $H$ is bipartite, $H$-free graphs on $n$ vertices may have as many as $\Theta(n^2)$ edges according to the celebrated Turán theorem [Bol98, Ch. IV.2].



Figure 3: Generic complexities and bounds (in logscale). Propositions [?] and [?] bound the triangle that contains all possible values for generic complexity. The theorems point to lower bounds provable for complexities of their respective constructions.



5 Conclusion

In this paper we develop a theory of lower bounds in the generic group model on the discrete logarithm problem constrained to a subset $S \subset \mathbb{Z}_p$ known to the attacker (constrained DLP). We give a first construction of a set with succinct description whose generic complexity is more than the square root of its size (Theorem 9). There exists an apparent gap between our construction ($|S| = p^{[?]}$ and $C_1(S) = |S|^{3/5}$) and a random set of size $p^{[?]}$ whose complexity is almost linear in its size. Bridging this gap constitutes an interesting open problem whose solution would shed some light on the intrinsic difficulty of the discrete logarithm problem. We also define restricted versions of the generic complexity that capture the complexity of baby-step-giant-step algorithms. We give an explicit, deterministic construction of a collection of sets whose complexity with respect to the weakest family of baby-step-giant-step algorithms becomes near-optimal as their size decreases (Theorem [?]). Various bounds and constructions are put together in Fig. 3.
A Bipartite Menelaus' Theorem

Let us first recap the classic Menelaus theorem.

Theorem 10 (Classic Menelaus) Consider four directed lines intersecting at six points (see Fig. 4). Then

$$AD \cdot BF \cdot CE = BD \cdot CF \cdot AE, \qquad (3)$$

where the segments' lengths are signed, i.e., positive if their direction agrees with that of the line they belong to and negative otherwise.

Less known is that (3) is equivalent to the following:

$$\det\begin{pmatrix} DB & AD & AB\\ BC & EC & BF\\ ED & DF & EF \end{pmatrix} = 0. \qquad (4)$$

One way to interpret the theorem is to add an $x$-axis to the drawing and consider projections of the intersection points onto this axis. Since the ratios of signed collinear segments are invariant under orthogonal projection, (3) implies that

$$(x_A - x_D)(x_B - x_F)(x_C - x_E) = (x_B - x_D)(x_C - x_F)(x_A - x_E), \qquad (5)$$

where $x_A$ is the $x$-coordinate of $A$, etc.

We may reverse the Menelaus theorem and ask whether a given six-tuple can be the projection of the intersection points of four distinct lines. It is easy to check that (5) is not only necessary but also a sufficient condition for such four lines to exist.

A natural extension of the classic Menelaus theorem is to consider other configurations (combinations of lines and their intersection points). The generalized Menelaus theorem (a line crossing a polygon) that corresponds to the wheel graph is well known. Below we prove the smallest possible "bipartite" Menelaus theorem.
Figure 4: Classic and bipartite Menelaus' theorems and their intersection graphs.

Theorem 11 (Bipartite Menelaus) Consider seven directed lines $l_a, l_b, l_c, l_1, l_2, l_3, l_4$ forming an irregular grid (see Fig. 4) and their intersection points $A_i, B_i, C_i$. Then the following holds:

$$\begin{aligned}
& A_1A_3 \cdot A_2C_2 \cdot A_4C_4 \cdot B_1C_1 \cdot B_2B_4 \cdot B_3C_3 + A_2A_4 \cdot A_1C_1 \cdot A_3C_3 \cdot B_1B_3 \cdot B_2C_2 \cdot B_4C_4 \\
&= A_3A_4 \cdot A_1C_1 \cdot A_2C_2 \cdot B_1B_2 \cdot B_3C_3 \cdot B_4C_4 + A_2A_3 \cdot A_1C_1 \cdot A_4C_4 \cdot B_1B_4 \cdot B_2C_2 \cdot B_3C_3 \\
&\quad + A_1A_2 \cdot A_3C_3 \cdot A_4C_4 \cdot B_1C_1 \cdot B_2C_2 \cdot B_3B_4 + A_1A_4 \cdot A_2C_2 \cdot A_3C_3 \cdot B_1C_1 \cdot B_2B_3 \cdot B_4C_4.
\end{aligned} \qquad (6)$$

The segments are signed as before.

Proof Add to the drawing the $x$ axis, which is neither parallel nor orthogonal to any of the seven lines. For $i \in \{1,2,3,4\}$ let $x_i, y_i, z_i$ be the projections of $A_i, B_i, C_i$ respectively onto this axis. Then the theorem's claim (6) can be rewritten as follows:

$$\begin{aligned}
& (x_1 - x_3)(x_2 - z_2)(x_4 - z_4)(y_1 - z_1)(y_2 - y_4)(y_3 - z_3) + (x_2 - x_4)(x_1 - z_1)(x_3 - z_3)(y_1 - y_3)(y_2 - z_2)(y_4 - z_4) \\
&= (x_3 - x_4)(x_1 - z_1)(x_2 - z_2)(y_1 - y_2)(y_3 - z_3)(y_4 - z_4) + (x_2 - x_3)(x_1 - z_1)(x_4 - z_4)(y_1 - y_4)(y_2 - z_2)(y_3 - z_3) \\
&\quad + (x_1 - x_2)(x_3 - z_3)(x_4 - z_4)(y_1 - z_1)(y_2 - z_2)(y_3 - y_4) + (x_1 - x_4)(x_2 - z_2)(x_3 - z_3)(y_1 - z_1)(y_2 - y_3)(y_4 - z_4).
\end{aligned}$$

With the help of a symbolic calculator it is easy to verify that the above formula is equivalent to:

$$\det\begin{pmatrix}
x_1 - y_1 & x_1 - z_1 & z_1(x_1 - y_1) & y_1(x_1 - z_1)\\
x_2 - y_2 & x_2 - z_2 & z_2(x_2 - y_2) & y_2(x_2 - z_2)\\
x_3 - y_3 & x_3 - z_3 & z_3(x_3 - y_3) & y_3(x_3 - z_3)\\
x_4 - y_4 & x_4 - z_4 & z_4(x_4 - y_4) & y_4(x_4 - z_4)
\end{pmatrix} = 0. \qquad (7)$$

Observe that (7) is invariant under all configuration-preserving permutations of the lines $l_{a,b,c}$ and $l_{1,2,3,4}$, which is less than obvious given only the original statement.

The proof consists of two substantially different cases.

Case I. There exist two lines, say, $l_a$ and $l_b$, so that $A_i \ne B_i$ for all $i \in \{1,2,3,4\}$. By appropriately scaling and translating the $y$ axis we can make $l_a = \{x = y\}$. The rest of the proof will be done in homogeneous coordinates. Let $l_a = (1 : -1 : 0)$ and $l_b = (\alpha : \beta : \gamma)$. Since $l_a$ and $l_b$ are not equal, either $\gamma \ne 0$ or $\alpha \ne -\beta$. For $i \in \{1,2,3,4\}$ the intersection point of $l_a$ and $l_i$ projects to $x_i$, and therefore $A_i = l_a \cap (1 : 0 : -x_i) = (x_i : x_i : 1)$. Likewise, $B_i = (\beta y_i : -\gamma - \alpha y_i : \beta)$. The two (distinct!) points uniquely define $l_i$:

$$l_i = (x_i\beta + \gamma + \alpha y_i \;:\; -x_i\beta + \beta y_i \;:\; -\gamma x_i - \alpha x_i y_i - \beta x_i y_i).$$

The four lines $l_i$ for $i \in \{1,2,3,4\}$ intersect with the vertical lines $(1 : 0 : -z_i)$ at the following points that must be collinear (as they all lie on $l_c$):

$$C_i = \bigl(\beta z_i(x_i - y_i) \;:\; \gamma(z_i - x_i) - \beta x_i(y_i - z_i) + \alpha y_i(z_i - x_i) \;:\; \beta(x_i - y_i)\bigr). \qquad (8)$$

The points are collinear if and only if the $3 \times 4$ matrix whose $i$th line is (8) has rank less than 3. Rank-preserving transformations of this matrix reduce it to the matrix $M$ with the following $i$th line (we may divide by $\beta \ne 0$ because $l_b$ is not vertical):

$$z_i(x_i - y_i),\qquad (z_i - x_i)\bigl(\gamma + (\alpha + \beta)y_i\bigr),\qquad x_i - y_i.$$

Since matrix $M$ has rank less than 3 for some $\alpha, \beta$, and $\gamma$ subject to the condition that either $\gamma \ne 0$ or $\alpha \ne -\beta$, it is equivalent to the following $4 \times 4$ matrix being singular, which implies (7):

$$\det\begin{pmatrix}
z_1(x_1 - y_1) & z_1 - x_1 & (z_1 - x_1)y_1 & x_1 - y_1\\
z_2(x_2 - y_2) & z_2 - x_2 & (z_2 - x_2)y_2 & x_2 - y_2\\
z_3(x_3 - y_3) & z_3 - x_3 & (z_3 - x_3)y_3 & x_3 - y_3\\
z_4(x_4 - y_4) & z_4 - x_4 & (z_4 - x_4)y_4 & x_4 - y_4
\end{pmatrix} = 0.$$



Case II. For any two lines from $l_a, l_b, l_c$ there is some $l_i$ going through their intersection. Reorder the lines so that $A_1 = C_1$, $B_2 = C_2$, and $A_3 = B_3$ (see Figure 5). Plugging the identities into (6) we reduce it to

$$A_1A_3 \cdot B_2B_4 \cdot A_4C_4 = B_2B_3 \cdot B_4C_4 \cdot A_1A_4,$$

which is true by classic Menelaus' theorem. □

Figure 5: Degenerate case.

We note that Theorem 11 is the "minimal" projective theorem that holds for the intersection points of two sets of lines in general position. Indeed, it follows from the proof that for any assignment of the eleven variables $x_{1,2,3,4}$, $y_{1,2,3,4}$, $z_{1,2,3}$ there is a configuration of lines whose intersection points project to those variables. This is because there always exist $\alpha, \beta, \gamma$ such that $\gamma \ne 0$ or $\alpha + \beta \ne 0$ and $C_1, C_2, C_3$ as defined in (8) are collinear. Hence no projection-invariant equation can be imposed on the lengths of the segments that would not include all the twelve points. Other configurations with as many or fewer intersection points are of no use either: six lines intersecting two can project to any collection of twelve points.
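As an added numerical check (this script is not part of the paper), the following Python code verifies Proposition 5 / Theorem 11 and equation (5) over $\mathbb{Z}_p$: the twelve projected intersection points of a random irregular $3 \times 4$ grid always satisfy (2)/(7), while random 12-tuples essentially never do, which is exactly the sparseness Theorem 9 exploits. The prime, the slope-intercept line representation and all function names are my own choices.

```python
# Added example (not from the paper): checks the bipartite Menelaus condition
# (Proposition 5 / equation (7)) and the classic one (5) over Z_p.  Non-vertical
# lines are written y = a*x + b with a, b in Z_p; the prime P is constructed.
import random

P = 1_000_003  # constructed prime; the paper's results hold for any prime p

def inter_x(l1, l2):
    """x-coordinate of the intersection of two non-parallel lines mod P."""
    (a1, b1), (a2, b2) = l1, l2
    return (b2 - b1) * pow(a1 - a2, -1, P) % P

def det(m):
    """Determinant mod P by Laplace expansion along the first row."""
    if len(m) == 1:
        return m[0][0] % P
    return sum((-1) ** j * m[0][j] * det([r[:j] + r[j + 1:] for r in m[1:]])
               for j in range(len(m))) % P

def bipartite_det(xs, ys, zs):
    """det M of (2)/(7); row i is (x_i-y_i, x_i-z_i, z_i(x_i-y_i), y_i(x_i-z_i))."""
    return det([[x - y, x - z, z * (x - y), y * (x - z)]
                for x, y, z in zip(xs, ys, zs)])

def random_lines(rng, n):
    """n lines with pairwise distinct slopes, so every pair of them meets."""
    return [(a, rng.randrange(P)) for a in rng.sample(range(1, P), n)]

def grid_det(seed):
    """det M for the 12 intersection points of a random 3x4 irregular grid."""
    lx, ly, lz, *ls = random_lines(random.Random(seed), 7)
    return bipartite_det([inter_x(lx, l) for l in ls],
                         [inter_x(ly, l) for l in ls],
                         [inter_x(lz, l) for l in ls])

def random_tuple_zeros(seed, trials):
    """Count random 12-tuples (from no grid) with det M = 0: Schwartz-Zippel
    on the degree-6 polynomial bounds the chance of each by 6/P."""
    rng = random.Random(seed)
    return sum(bipartite_det(*[[rng.randrange(P) for _ in range(4)]
                                for _ in range(3)]) == 0 for _ in range(trials))

def classic_menelaus_holds(seed):
    """Equation (5): triangle sides AB, BC, CA cut by a transversal t at D, F, E."""
    ab, bc, ca, t = random_lines(random.Random(seed), 4)
    xA, xB, xC = inter_x(ab, ca), inter_x(ab, bc), inter_x(bc, ca)
    xD, xF, xE = inter_x(ab, t), inter_x(bc, t), inter_x(ca, t)
    lhs = (xA - xD) * (xB - xF) * (xC - xE) % P
    rhs = (xB - xD) * (xC - xF) * (xA - xE) % P
    return lhs == rhs
```

Because `grid_det` builds the points from actual lines, its result is zero for every seed, whereas `random_tuple_zeros` stays at zero (or very nearly so) over many trials.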

To highlight the projective nature of Theorem 11 we may rewrite (6) in a form that is invariant under projection, as a sum of products of ratios of segments taken from $A_iA_j$, $B_iB_j$, $A_iC_i$ and $B_iC_i$:

[The displayed equation is illegible in this copy of the paper.]

where for parallel $AB$ and $CD$ the displayed quantity equals [illegible] when the two segments have the same direction, and [illegible] otherwise.

Finally, we transform (7) to draw an analogy with (4):

$$\det\begin{pmatrix}
A_1B_1 & A_1C_1 & C_1C_1 \cdot A_1B_1 & B_1B_1 \cdot A_1C_1\\
A_2B_2 & A_2C_2 & C_2C_1 \cdot A_2B_2 & B_2B_1 \cdot A_2C_2\\
A_3B_3 & A_3C_3 & C_3C_1 \cdot A_3B_3 & B_3B_1 \cdot A_3C_3\\
A_4B_4 & A_4C_4 & C_4C_1 \cdot A_4B_4 & B_4B_1 \cdot A_4C_4
\end{pmatrix} = 0. \qquad (9)$$